KR20110113565A - Secure access to a private network through a public wireless network - Google Patents

Abstract

Systems, methods, and computer program products are disclosed in which a client device securely accesses a private network via a public wireless network. The system establishes a first network tunnel between the client device and a gateway of the public wireless network, and then authenticates the client device with an authentication server of the private network using the first tunnel. The authentication is proxied by an authentication server of the public network. If the authentication is successful, a second tunnel is established between the client device and the gate of the private network for secure access by the client device to the private network.

Description

SECURE ACCESS TO A PRIVATE NETWORK THROUGH A PUBLIC WIRELESS NETWORK}

The present invention generally relates to computer networks, and more specifically to methods and systems for secure access to enterprise private networks over public or third party wireless networks.

The communication network may be either a private network or a public network. In a private network, communication between multiple computers occurs in a secure environment that prevents access from outside the network without proper authentication. These networks are considered "trusted" networks. This is because the communication signals travel securely from one computer to another within the private network without being exposed to the external environment.

On the other hand, public networks such as the Internet are not secure. Because communication over these networks is not private, interception by other computers occurs frequently. The public network may also ensure delivery of transmitted data packets. The public network may allow packets to be injected into or out of the network indiscriminately during transmission and may also be analyzed. In order to keep data transmitted over a public network private, a virtual private network (VPN) is often established on top of that public network when two computers communicate with each other using a public network. In a VPN, data sent from one computer to another is encrypted by a security gateway and sent in encrypted form to a second secure gateway connected to the receiving computer via its public network. The second gateway decrypts the data before delivering it to the receiving computer. This private channel established on top of another network is called a network tunnel.

To set up a VPN, the user first establishes a route to the VPN server and then AAA processes (authentication, authorization, accounting) for identification and authorization. Pass through to create a secure tunnel with that server. Once the user is authorized, a secure network tunnel is established between the user and the VPN server over the public network using a VPN protocol such as IPsec. This process requires a VPN client on the user side as well as appropriate user configurations, and a VPN server and other VPN hardware on the other side of the tunnel.

Today's private networks often include wireless networks such as WiMAX to accommodate mobile access. In addition, to provide mobility access within a large geographic area, private enterprises often rely on a third wireless infrastructure in addition to their wireless network. In this case, the user's device needs to be authenticated by a third gateway and an enterprise authentication server before being able to access the enterprise network. User credentials are typically required by the third gateway and returned securely to the third gateway. Once the user is authenticated and authorized, the user can communicate with the third wireless gateway.

However, in order to access the corporate private network when traversing the public network, the user still needs a secure connection between the user's device and the corporate VPN server. As a result, in an environment including a third wireless carrier network, a user must be authenticated and authorized by both the public gateway and the corporate authentication server in order to access the private corporate network.

Thus, there remains a need in the art for improved systems and methods for securely communicating with private networks over public or third party wireless networks without the aforementioned disadvantages.

The present invention relates to a computer network system, a method and a computer program product for securely accessing a private network of an enterprise via a public or third carrier wireless network. The network system includes a public gateway for establishing a first network tunnel between the client device and a gateway when the client device is authenticated by an authentication server of the public network. The authentication server then acts as a proxy for authenticating the client device to the authentication server of the private network using the first tunnel. If the client is successfully authenticated to the authentication server of the private network, a second network tunnel is established between the client device and the private network to allow secure client access.

In embodiments of the present invention, the network tunnels may be challenged using a challenge-response authentication protocol such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). Is established. The authentication includes an exchange between the client and the server on client users' security credentials and public-private encryption key pairs. Data packets associated with the authentication of the client device with the private authentication server are encrypted and forwarded unchanged by the public gateway to the private authentication server. In embodiments of the invention the public wireless network is a WiMAX wireless network.

In another embodiment of the present invention, a method is described in which a client securely accesses a private network via a public wireless network. The method includes establishing a first tunnel to a gateway of a public wireless network connected to the private network, and authenticating the client device with an authentication server of the private network using the first tunnel, wherein the authentication A server connected to a gateway of the private network. If the authentication is successful, a second tunnel is established between the client and the private gateway to enable secure access to the private network.

In another embodiment of the present invention, a computer program product is described in which a client device securely accesses a private network via a public wireless network. The product includes a computer usable storage medium, which has readable program code embodied therein. The program code establishes a first tunnel to a gateway of a public wireless network connected to the private network, authenticates the client device with an authentication server of the private network using the first tunnel, and secures the private network. A second tunnel is established between the client device and the private network gateway to enable enemy client access.

Details of the preferred embodiments of the present invention, namely the structure and operation of the preferred embodiments of the present invention, are described in detail in the following detailed description with reference to the accompanying drawings, in which like reference numerals are used. Reference numerals refer to similar parts. The above-mentioned means for solving the problems is provided to identify important features of the subject matter of the present invention, and is not intended to limit the scope of the subject matter of the present invention.

1 is a block diagram illustrating an exemplary secure network tunnel established between two networks via the Internet.
2 is a block diagram illustrating an example of an encapsulated data packet for transmission over a secure network tunnel.
3 is a block diagram illustrating a network configuration that allows client devices to access a private network through a public wireless network using a VPN server and security firewalls.
4 is a block diagram illustrating an example of a network arrangement that allows client devices to access a private network over a public wireless network where client authentication is proxied by a public authentication server, in accordance with aspects of the present invention. to be.
5 illustrates interactions between a client device, an authentication server in a gateway and a wireless public network, and an authentication server in a gateway and a private network, to provide secure client access to a private network, in accordance with embodiments of the present invention.
6 is a flowchart of an example of a process for a client device to authenticate and establish a secure network tunnel to a private network over a public wireless network, in accordance with aspects of the present invention.
7 is a flowchart of an example of a process in which a client device is authenticated by an authentication server and gateway in a public wireless network to establish a first secure network tunnel, in accordance with aspects of the present invention.
8 is a flowchart of an example of a process in which a client device is authenticated by an authentication server and a gateway of a private network to establish a second secure network tunnel, in accordance with aspects of the present invention.

As will be appreciated by those skilled in the art, aspects of the present invention may be embodied as a method, system or computer program product. Thus, aspects of the invention may take the form of entirely hardware embodiments, may take the form of entirely software embodiments (including firmware, resident software, micro-code, etc.), or software and hardware aspects—these All may generally take the form of embodiments incorporating "circuits", "modules" or "systems" within the present specification. Furthermore, aspects of the present invention provide a computer implemented in one or more computer readable medium (s), wherein the one or more computer readable medium (s) have computer readable program code implemented therein. It may take the form of a program product.

Any combination of one or more computer readable medium (s) may be used. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium may be, for example, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a suitable combination thereof. However, it is not limited to these examples. More specific examples (but not all) of the computer readable storage medium may include the following. That is, an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory, EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or a suitable combination thereof. In the context of this document, a computer readable storage medium may be embodied as a physical substance that can include or store a program for use by, or for use with, an instruction execution system, apparatus, or device. It may be a medium.

The computer readable signal medium may comprise a data signal propagating with the computer readable program code (eg, at baseband or as part of a carrier wave). This propagating signal can take any of a number of forms, including, for example, electro-magnetic, optical, or a suitable combination thereof. However, it is not limited to these examples. The computer readable signal medium is not a computer readable storage medium, which carries a program for use by or in conjunction with an instruction execution system, apparatus, or device. Can propagate, transmit.

Program code embodied on a computer readable medium may be transmitted using any suitable medium. For example, a wireless, wired, fiber optic cable, RF, or the like, or a suitable combination thereof, is not limited thereto.

Computer program code for performing operations for aspects of the present invention may be written in a combination of one or more programming languages. Examples of this programming language include, but are not limited to, object-oriented programming languages such as Java, Smalltalk, C ++, traditional procedural programming languages such as "C" programming language, or similar programming languages. The program code, as a standalone software package, may be executed entirely on the user's computer, partially on the user's computer, or partially on the user's computer and partially on the remote computer, or entirely on the remote computer or server. . In the latter case, the remote computer can be connected via any type of network, examples of which include a local area network (LAN) and a wide area network (WAN). Alternatively, the connection can be made to an external computer (eg, via the internet using an internet service provider).

Aspects of the present invention are described below with reference to flowcharts and / or block diagrams related to methods, apparatuses (systems) and computer program products according to embodiments of the present invention. It should be understood that each block of the flowcharts and / or block diagrams, and the combination of blocks in the flowcharts and / or block diagrams, may be executed by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, dedicated computer, or other programmable data processing device to generate a machine. Thus, when the machine is executed through a processor of the computer or other programmable data processing apparatus, it is possible to create means for implementing the functions / acts specified in the block or blocks in the flowchart and / or block diagram.

These computer program instructions may also be stored on a computer readable medium. The computer readable medium may be embodied by a computer, other programmable data processing apparatus, or other devices in a particular manner such that the instructions stored on the computer readable medium may be specified in a block or blocks of a flowchart and / or block diagram. Create an article of manufacture comprising instructions to execute.

The computer program instructions may also be loaded on a computer, other programmable data processing apparatus, or other devices such that a series of operating steps are performed on the computer, other programmable device, or other devices to implement a computer-implemented process. Create it. Thus, when the instructions are executed on the computer or other programmable device, it provides a process for implementing the functions / acts specified in the block or blocks in the flowchart and / or block diagram.

Flow diagrams and block diagrams in the drawings described below illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products in accordance with various embodiments of the present invention. In this regard, each block in the flowchart or block diagram may represent a module, segment, or code portion, which includes one or more executable instructions for implementing the specified logical function (s). It should also be noted that in some other implementations, the functions depicted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed concurrently, or the blocks may sometimes be executed in the reverse order, depending on the functionality involved. In addition, each block of the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, may be implemented by dedicated hardware-based systems, which may be implemented by dedicated hardware and computer instructions. Perform certain functions or actions, or combinations.

The present invention relates to secure and remote client access of an enterprise's private network, where the client authentication to the private network is proxied by a public or third party wireless network. More specifically, the client authentication to the private network is performed by a public authentication server via a secure network tunnel established on the public or third wireless network. Although embodiments of the present invention are not limited to public or third party wireless networks, they leverage the architecture used in many wireless networks, especially WiMAX networks, for authenticating the client. Both the Authentication, Authorization, and Accounting (AAA) processes and management of the secure tunnel to the private gateway of the enterprise are proxied by the public authentication server and gateway in the public network.

Secure remote wireless access is performed without the need for a VPN server, VPN client, or VPN hardware. This saves equipment, supports the cost to the enterprise, and provides the user a seamless connection. Roaming between corporate wireless and public networks occurs automatically without any user intervention, such as starting a VPN client. In addition to the reduced infrastructure, companies can eliminate the costs associated with maintaining and managing VPN servers.

This will now be described with reference to FIG. 1. 1 illustrates a typical virtual private network 100 established over the public internet 114. The virtual private network 100 includes a secure network tunnel 115 between trusted networks 110 and 119. Trusted network 100 includes a number of computers 111 connected to each other by network 112. Trusted network 119 includes a number of computers 117 connected to each other by network 118. Networks 112 and 118 are typically LANs (eg, Ethernet networks), which are connected to the public Internet through security gateways 113 and 116 respectively.

A network tunnel 115 between two networks 110 and 119 is established at the top of the underlying internet 114. Data movement through the tunnel 115 is encapsulated from the traffic of the Internet 114 without being visible to the traffic of the Internet 114. Traffic in tunnel 115 looks to the internet 114 as another traffic stream to be passed. In addition, data packets with a payload between two networks 110 and 119 are encapsulated in packets of the Internet Protocol, with additional packet identification and security information.

2 is an example of data packets transmitted over an IPsec-based VPN such as tunnel 115. The data packet 210 may be sent from the host 111 or 117 to other computers in the network. The data packet 210 includes an IP header 211 and a data field 212. IP header 211 typically includes the data type, packet number, total number of packets transmitted, and the IP addresses of the sender and receiver. In order to keep the contents of IP header 211 and data field 212 private to the sender and receiver, this larger data packet when larger data packet 213 is transmitted over the Internet These fields are included at 213.

The data packet 213 includes a new IP header 214 and an Encapsulating Security Payload (ESP) header 215. The new IP header 214 and the ESP header 215 are composed of an external IP header ( Outer IP header 216. Original IP header 211 and data field 218 are referred to as Inner IP header 219 of packet 213. For additional security protection, The inner IP header 219 and the original data field 212 are generally encrypted by the sending node prior to transmission and then decrypted by the receiving node.

3 shows an example of a network configuration that allows mobile users and client devices to access the Internet using a private intranet and VPN server over a carrier wireless network. A wireless network, such as carrier network 314, transmits data over the air. The transmitted data can be received by someone within the range of a radio-frequency (RF) signal. Client device 310 may be a portable computer or communication device with integrated 802.1X wireless and may support data encryption and client authentication. The client device 310 communicates with a public wireless network 314 or a carrier's gateway 312 via a wireless antenna 311. The carrier or public wireless network 314 may be a WiMAX wireless network. Client device 310 typically needs to be authenticated and authorized by an authentication (AAA) server 313 of public network 314 when client device 310 is first connected to gateway 312.

To protect data transmitted over public or carrier network 314 from unauthorized users, most wireless technologies (including WiMAX) authenticate users and transfer data between end user devices and a private network. Adopt secure tunnels to exchange. The tunnels, like gateway 312, terminate at an access point of the wireless network or common gateway, where all access points communicate with it. WiMAX and other wireless networks generally use a challenge-response protocol such as Extensible Authentication Protocol (EAP) to authenticate users. End user credentials are requested and returned securely to the wireless gateway 312 verifying that the user is authorized to use the public wireless network 314. One way of authenticating a user is to pass client credentials to an authentication server 313, eg, a RADIUS server or a DIAMETER server. Once the user is authenticated and authorized, a secure tunnel is established from the user device 310 to the wireless network 314 or gateway 312 so that data can be securely exchanged over the public wireless network 314.

If the wireless network 314 is in the enterprise, the client device 310 may begin accessing the private network 316 of the enterprise. However, this is not often the case, and often the wireless network 314 is typically operated by a third carrier that provides access to the Internet 315. The corporate private network 316 is also connected to the Internet 315 to allow for wider remote access ranges. As a result, the enterprise typically has a VPN server 317, which is accessible from the Internet 315, so that the client device 310 of the user can access the enterprise network 316. Require authentication and authorization by the VPN server 317 before being present. If the client device 310 is authenticated and authorized, then another secure tunnel is established from the end user's client device 310 to the corporate VPN server 317.

Also shown in FIG. 3 is a user's client device 320 on an enterprise's premise that accesses an enterprise's private network 316 via an on-campus wireless network. The on-campus wireless network includes a wireless antenna 319 through which the client device 320 is connected to the wireless gateway 321. Wireless gateway 321 is coupled to corporate authentication server 322 and corporate private network 316. Enterprise authentication server 322 handles authentication and authorization of client device 320 when it first accesses the enterprise's on-campus wireless network. The network configuration of FIG. 3 is driven by the ability to deliver both carrier wireless services over a macro network (e.g., network 314) and connections within a private campus / building via a pico cell network. It shows one of the strengths of WiMAX.

4 shows a network configuration that enables client access to an enterprise's private network via a carrier or public wireless network (eg, WiMAX), in accordance with embodiments of the present invention. The client device 410 communicates with a gateway 412 of a carrier or public wireless network 414 via a wireless antenna 411. Client device 410 is authenticated and authorized by authentication server 413 of public network 414 when client device 410 is first connected to public gateway 412.

Once a network tunnel is established between the client device 410 and the public gateway 412, the public authentication server 413 acts as a proxy to allow the client device 410 to be authenticated and authorized for access to the corporate private network 416. Works. The proxied client authentication is described in detail below with reference to FIGS. 5-8. As an example, the corporate private intranet 416 is shown to be accessible from the public or carrier wireless network 414 via the Internet 415 and the gateway 417 of the private internetwork 416. Access to the private network 416 via the intranet 415 is further protected from unauthorized clients by the firewalls 423 and 424.

4 also shows an end user client device 420 on the premise of an enterprise accessing an enterprise private network 416 via an on-campus wireless network. The on-campus wireless network includes a wireless antenna 419, through which the client device 420 is connected to the wireless gateway 421. The wireless gateway 421 is thus connected to an enterprise authentication (AAA) server 422 and a corporate private network 416. The enterprise authentication server 422 handles authentication and authorization of the client device 420 as described below with reference to FIGS. 5-7.

Referring now to FIG. 5, FIG. 5 illustrates a process by which a client accesses a private network in accordance with embodiments of the present invention, where the client authentication is proxied by an authentication server and gateway in a public wireless network. Client device 510 accesses public wireless network 514 via wireless gateway 512 of public network 514. The client 510 is authenticated by the authentication (AAA) server 513 of the public network and then connected to the gateway 512 via the wireless link 511. Typically, end user credentials are requested from the client device 510 by the wireless gateway 512. Gateway 512 then verifies from the returned credentials whether the user is authorized to use public wireless network 514. One way to verify a user is to pass client credentials to an authentication (AAA) server 513. When the user is authenticated and authorized by the authentication server 513, a first network tunnel 525 is established from the user device 510 to the wireless gateway 512.

5 further shows an enterprise's private network 516 connected to the public network 514 via the Internet 515 and a private network gateway 517. Alternatively, private network 516 may be connected to process network 514 via other types of communication channels, such as leased telephone lines or fiber optic links.

When the first network tunnel 525 is established, the authentication server 513 may be configured for authentication server 522 associated with the enterprise private network 516 to authenticate the client device 510 for access to the private network 516. Proxy the request. In embodiments of the present invention, the client device 510 is authenticated using a challenge-response protocol, such as the Extensible Authentication Protocol (EAP) described below. After client device 510 is authenticated and authorized by authentication server 522, client device 510 and private network gateway 517 to securely access device 510 to private network 516. A second network tunnel 526 is established in between. Authentication of the client device 510 by the authentication server 522 and establishment of the second network tunnel 526 are described with reference to FIGS. 6-7.

EAP  certification

In embodiments of the present invention, client authentication for a wireless network is based on the implementation of Extensible Authentication Protocol (EAP). EAP is an authentication framework commonly used in wireless networks and point-to-point connections. The EAP framework is not limited to wireless networks and may also be used for wired LAN authentication, but is more common in wireless environments. The EAP framework provides port based authentication, which relates to communications between the supplicant (client), authenticator, and authentication server. The supplicant is often software on a client device such as a laptop, the authenticator is a wired or wireless access point, and the authentication server is typically host execution software that supports the EAP implementation.

The authenticator acts as a security guard for the protected network. Until the identity of the supplicant is verified and authenticated, the supplicant (client device) is not allowed access through the authenticator to the protected side of the network. In some authentications, the supplicant provides credentials to the authenticator, such as a username / password or a digital certificate, and the authenticator passes the credentials to the authentication server for verification. If the credentials are verified to be valid for the authentication server's database, the supplicant (client device) is allowed to access resources located on the protected side of the network.

A typical authentication process consists of the following steps.

Initialization: Upon detection of a new client (suppliant), the port for the authenticator is enabled and set to the "unauthorized" state.

Initiation: To initiate the authentication, the authenticator periodically sends an EAP-Request Identity frame to the specified address. The supplicant listens for this address and upon receipt of the EAP-request identity frame, it responds to an EAP-response identity frame containing a supplicant identifier. The authenticator then seals this identity response and forwards it onto the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-start frame to the authenticator.

Negotiation: The authentication server sends a response to the authenticator, which includes an EAP request specifying the EAP method that the supplicant wants to perform. The authenticator seals the EAP request in an EAPOL frame and sends it to the supplicant. The supplicant may respond to another EAP method it is willing to perform, or may initiate the requested EAP method.

Authentication: If the authentication server and supplicant agree to the EAP method, EAP requests and responses are communicated with the supplicant until the authentication server responds to either an EAP-success message or an EAP-failure message. Sent between the authentication servers (translated by the authenticator). If authentication is successful, the authenticator sets the port to an "authorized" state and normal traffic is allowed.

In an embodiment of the invention, the EAP-Transport Layer Security (EAP-TLS) protocol is used to authenticate a wireless client device. The EAP-TLS provides strong security for secure communication with an authentication server, uses client-side certificates in the authentication, and is supported by most client operating systems.

During EAP-TLS authentication, the network client initially verifies the identity of the authentication server by validating the server's TLS signature. The client and server will then derive a symmetric key to protect the next step of the EAP authentication, where the identity of the client is verified by the server. The authentication server sends an EAP-Request / Identity Packet to the client, and the Client responds to the EAP-Response / Identity Packet to the authenticator that includes the Client-ID of the Client. If the identity of the client is received, the EAP server responds to an EAP-TLS / start packet.

Then, the EAP-TLS conversation will begin, where the client sends an EAP-response packet. The EAP server then responds to an EAP-Request packet. The EAP-Request packet includes a handshake, TLS certificate, server_key_exchange, and certificate_request messages. This information is encapsulated in the EAP-Request packet. The certificate message includes a public key signature chain for a key exchange public key (eg RSA or Diffie-Hellman key exchange public key) or a signing public key (eg RSA or digital signature standard signature public key). .

A certificate_request message is included if the server wants the peer to authenticate itself via a public key. If the peer supports and uses EAP-TLS, it responds to the EAP-Request with an EAP-Response Packet of EAP-Type = EAP-TLS. The peer includes a certificate for the peer's signing public key, and the peer's signed certificate responds to the EAP server. After receiving this packet, the EAP server will verify the peer's certificate and digital signature, if requested.

If the peer's authentication is not successful, the EAP server sends an EAP-request packet with EAP-Type = EAP-TLS, which encapsulates the TLS record containing the appropriate TLS alert message. If the peer successfully authenticates, the EAP server responds with an EAP-request packet with EAP-Type = EAP-TLS, which includes the terminated handshake messages. The peer then verifies the terminated message by sending an EAP-response of EAP-Type = EAP-TLS, and has no data. The EAP server responds to an EAP-Success message to terminate the authentication process.

Authentication peer Certifier <-EAP-Request / Identity EAP-Response / Identity (MyID)-> <-EAP-Request / EAP-Type = EAP-TLS
(Start TLS) EAP-Response / EAP-Type = EAP-TLS (TLS client_hello)-> <-EAP-Request / EAP-Type = EAP-TLS
(TLS server_hello, TLS certificate, [TLS server_key_exchange,], TLS certificate_request, TLS servo_hello_done) EAP-Response / EAP-Type = EAP-TLS (TLS Certificate, TLS Client_Key_Exchange, TLS Certificate_Verify, TLS Exchange_cipher_spec, TLS Exit)-> <-EAP-Request / EAP-Type = EAP-TLS
(TLS exchange_cipher_spec, TLS exit) EAP-Response / EAP-Type = EAP-TLS-> <-EAP-Success

Table 1 is a summary of the exchange of authentication messages between peer (client device) and authenticator when EAP-TLS mutual authentication is successful.

identity  Verification( IDENTITY VERIFICATION )

As part of the TLS negotiation, the server provides a certificate to the peer, and if mutual authentication is requested, the peer provides a certificate to the server. The EAP-TLS Peer-ID provides an identity to be used for access control and accounting purposes. The server-Id provides an identity of the EAP server. The Peer-Id and Server-Id together identify entities associated with deriving the public / private key pair. In the EAP-TLS protocol, the peer-Id and server-Id are determined from the peer and server certificates.

Certificate Verification ( CERTIFICATION VALIDATION )

The EAP-TLS server is typically connected to the Internet and supports verifying the peer certificate. If the EAP-TLS server is unable to retrieve intermediate certificates, it will need to be preconfigured with the necessary intermediate certificates to complete path validaton, or it may be part of the TLS handshake. It will rely on the EAP-TLS peer to provide this information. If a TLS session is established, the EAP-TLS peer and server implementations verify that the identities provided in the certificate are appropriate and authorized for use with EAP-TLS. The authorization process uses the contents of the certificates as well as other contextual information. Authorization is based on the EAP-TLS Peer-Id and Server-Id.

6 is a flow diagram of an example process in which a client device is recognized prior to accessing a private network in accordance with aspects of the present invention. At block 611, a network tunnel is first established between the client device and a public or third party carrier wireless network. Then, at block 612, the client device is authenticated with an authentication server of the private network of the enterprise using the first tunnel. If the client device is authenticated by the authentication server associated with the private network, a second network tunnel between the client device and a gateway of the private network to allow the client to securely access the private network at block 613. Is set up.

7 is a flow diagram of an example process for authenticating the client device and establishing the first network tunnel (from block 611) by the authentication server of the public network. At block 722, the client device sends an “EAP-Start” to the gateway of the public or carrier wireless network. The public gateway then requests the client's identity information at block 712. In block 713, the client device responds to the public gateway with a " realm " message containing client identity data. If the client's identity is verified by the public network gateway, the gateway contacts the authentication server connected to the public gateway and requests the authentication server to authenticate and authorize the client device, as shown in block 714. . The authentication server of the public network performs a client authentication process such as EAP authentication as described above in block 715. If the authentication is successful, a first secure network tunnel is set up at block 716 between the client device and the gateway of the public wireless network.

8 is a flow diagram of an example process for authenticating the client device to a private network using the first tunnel (from block 612) and establishing a second tunnel between the client and a private network gateway (from block 613). Shows. If a first network tunnel is established between the client device and the public gateway, then at block 811, the authentication server of the public network is configured to initiate client authentication to the private network via the first tunnel. Send the request to. At block 812, the enterprise authentication server initiates authentication of the client device (preferably using an EAP process).

As described above, the EAP authentication includes a request for client security credentials from a client device (block 813), and exchanges public / private keys between the client device and the private authentication server (block 814). Include. Requests and responses regarding the credentials and public / private keys are proxied by the authentication server and gateway of the public network via the first network tunnel. At block 815, if the client device is successfully authenticated and authorized by the private authentication server, at block 816, a second network tunnel is established between the client device and the private gateway. The client device now begins secure access to the private network through the second tunnel.

The subject matter of the invention described above is provided for the purpose of illustration only and should not be construed as limiting the invention. It is evident that various modifications and alternatives to the described components and operations can be implemented by those skilled in the art without departing from the spirit and scope of the invention as defined in the claims below. Therefore, the scope of the present invention should be construed broadly to encompass all such modifications and equivalent structures. As will be appreciated by those skilled in the art, the systems, methods, and procedures described herein may be implemented in a programmable computer, computer executable software, or digital circuitry. The software may be stored on a computer readable medium. For example, computer readable media may include floppy disk, RAM, ROM, hard disk, removable media, flash memory, "memory stick", optical media, magneto-optical media, CD-ROM, and the like.

Claims (23)

A network system in which a client device securely accesses a private network through a public wireless network,
A public gateway coupled to the public network and having a first network tunnel to the first client device;
A private authentication server coupled to the private network for authenticating the client device, wherein the client device authentication is proxied by an authentication server of the public network through the first tunnel; And
A private gateway, coupled to the private network and a public authentication server, having a second network tunnel to the client device;
Network system. The method of claim 1, wherein the first and second tunnels are established using a challenge-response authentication protocol.
Network system. The method of claim 1, wherein the first and second tunnels are established using Extensible Authentication Protocol (EAP).
Network system. 4. The method of claim 3, wherein the extensible authentication protocol is an extensible authentication protocol-transport layer security (EAP-TLS) protocol.
Network system. The system of claim 1, wherein the first and second tunnels are established based on user security credentials associated with the client device.
Network system. The system of claim 1, wherein data packets associated with authenticating the client device with the private authentication server are encrypted.
Network system. 7. The method of claim 6, wherein the encrypted data packets are sent unchanged by the public gateway to the private authentication server.
Network system. The method of claim 1, wherein authenticating the client device with the private authentication server includes the exchange of a public-private key pair.
Network system. The system of claim 1, wherein the public public network is a WiMAX wireless network.
Network system. The method of claim 1, wherein the first and second tunnels are IPsec tunnels.
Network system. The method of claim 1, wherein the first and second tunnels allow data to be securely exchanged between the client device and the private network.
Network system. A method implemented by a computer in which a client device securely accesses a private network over a public wireless network, the method comprising:
Establishing a first tunnel to a gateway of the public wireless network connected to the private network;
Authenticating the client device with an authentication server of the private network using the first tunnel, wherein the authentication server is connected to a gateway of the private network; And
Establishing a second tunnel between the client device and the private network gateway.
Computer-implemented method. The system of claim 12, wherein the first and second tunnels are established using a challenge-response authentication protocol.
Computer-implemented method. The system of claim 12, wherein the first and second tunnels are established using Extensible Authentication Protocol (EAP).
Computer-implemented method. 15. The method of claim 14, wherein the scalable authentication protocol is an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol.
Computer-implemented method. The system of claim 12, wherein the first and second tunnels are based on user security credentials associated with the client device.
Computer-implemented method. The apparatus of claim 12, wherein data packets associated with authenticating the client device with the private authentication server are encrypted.
Computer-implemented method. 18. The method of claim 17, wherein the encrypted data packets are sent unchanged by the public network gateway to the private authentication server.
Computer-implemented method. The method of claim 12, wherein authenticating the client device with the private authentication server includes the exchange of a public-private key pair.
Computer-implemented method. The system of claim 12, wherein the public network is a WiMAX wireless network.
Computer-implemented method. The system of claim 12, wherein the first and second tunnels are IPsec tunnels.
Computer-implemented method. The system of claim 12, wherein the first and second tunnels allow data to be securely exchanged between the client device and the private network.
Computer-implemented method. A program product to a computer in which a client device securely accesses a private network via a public wireless network, the product comprising a computer usable storage medium, the computer usable storage medium being a readable program embodied in the storage medium. Code, the program code,
Establish a first tunnel to a gateway of the public wireless network connected to the public network;
Authenticate the client device with an authentication server of the private network using the first tunnel, wherein the authentication server is connected to a gateway of the private network; And
Operative to establish a second tunnel between the client device and the private network gateway.
Computer program products.

Images